[Minifilter] How can i get file name with extension in IRP_MN_QUERY_DIRECTORY?

I want to write a minifilter driver for detecting delete operation on files, i can handle that with microsoft minifilter delete sample.
i saw can not detect if file delete or move to “Recycle Bin”, i search about this problem and saw that can detect this operation with IRP_MJ_DIRECTORY_CONTROL in IRP_MN_QUERY_DIRECTORY.

But now my problem is with FltGetFileNameInformation or FltGetDestinationFileNameInformation i can get directory path without name.

How can i get file name and extension with full path? Is there a better way or suggestion?

For a ‘soft’ delete, that is a delete which goes to the recycler, it is implemented through rename processing. The file/directory gets renamed into a target name in the recycler path so you can detect the target name of the rename that has a path of one of the various recycler path names. Note that the target file name itself is not the same file name being ‘deleted’.

Pete

Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295

Thank you Peter Scott!
My problem solved with IRP_MJ_SET_INFORMATION callback in FileRenameInformation and FileRenameInformationEx

But is it possible to get the file name and extension on IRP_MJ_DIRECTORY_CONTROL->IRP_MN_NOTIFY_CHANGE_DIRECTORY callback?

Are asking if you can get the file name of a file during the directory control query via the FltGFNI API? The file object being processed is that of the parent directory so no, you can’t in that context since it is the directory that is open and not the file. You can parse the content of the directory listing and build up the name but I suspect this is not what you are after.

Pete

Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295